Will It Vibe logoWill It Vibe?
DJANGO-024Critical severity-25 points

Command executed with request input

Part of Security, which counts for 30% of the overall score. When this check fires it deducts 25 points from that category, once per scan, no matter how many places it turns up.

What it detects

os.system or subprocess.run/call/check_call/check_output/Popen is called with an argument built from request.GET/POST/data/COOKIES/META/body, so shell metacharacters or arguments in that input become command injection.

Why it matters

os.system or a subprocess call built from request.GET/POST/data/COOKIES/META/body hands the operating system a command line containing attacker-controlled text. Shell metacharacters in that input (;, |, &&, backticks, $()) let an attacker run arbitrary commands with the same privileges as the Django process, which is a full server compromise, not just a data leak.

How to fix it

Never build a shell command from request data. If the operation can be done with a Python library instead of shelling out, use that. If a subprocess call is unavoidable, pass a list of arguments (subprocess.run([prog, arg1, arg2], shell=False)) instead of a shell string, and validate each request-derived value against a strict allowlist (an enum of known-safe options) before it reaches the argument list.

The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing

Does your repo trip this check?

Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.

Scan your repo

Related Security checks